The security solution for existing broadband connections




Built for Business 

Many small and midsize businesses (SMBs)
and their teleworkers have broadband
Internet access but no security — a
situation that was acceptable a few
years ago but is no longer. Increasingly,
SMB customers recognize the urgency
of protecting corporate and customer
information as it travels over the
Internet and resides in connected PCs.
Furthermore, they are beginning to see
the value in having an IP-application-ready
network that will allow them to
take advantage of cost-reducing solutions
such as voice over IP (VoIP) and video over
IP. However, until now, SMBs that wanted
to secure their existing broadband
connections and create an infrastructure
for IP applications were forced to choose
between high-end security appliances
designed for the enterprise market and
low-end solutions intended for consumers.

Now businesses have a new choice. 
A flexible, all-in-one application-ready 
security router solution, the SpeedStream 
5880 Broadband Security Router delivers 
the most useful features of enterprise-class
routers at a much lower price. And
because the SpeedStream 5880 Broadband 
Security Router is compatible with all 
broadband connection methods — T1, DSL, 
cable, and fixed wireless — businesses can 
simplify deployment by using the same 
solution for all branch offices, regardless 
of their access method. 



Enterprise-grade features for small and 
medium businesses 

Sitting between the local area network 
and the broadband modem, the 
SpeedStream 5880 Broadband Security 
Router enables enterprise-class security 
and IP-applications such as firewall, 
virtual private networking (VPN), voice 
and video over IP, and high availability. 
SMBs need these capabilities but, unlike
enterprise customers, typically don't have
the resources to purchase and manage
numerous devices. Because the router
incorporates multiple capabilities within
one device, SMBs can easily deploy and
manage these services through a single
interface.

With the SpeedStream 5880, businesses 
can easily deploy these capabilities at the 
time of initial installation or add these 
services over time, depending on their 
business needs. Capabilities include: 

Firewall — An integrated ICSA-certified 
stateful inspection firewall protects 
applications and data from hackers. 

Secure VPN — The SMB can deploy VPNs
to ensure that data travels securely
to and from offices. The easy-to-use
interface allows these capabilities to be
easily set up and managed with little to
no training.

Demilitarized Zone (DMZ) — Businesses
can connect to a computer host or small
network inserted as a "neutral" zone
between the company's highly secure,
private network and the outside public
network. This enables the company
to protect its main servers while
providing services, such as an extranet
for customers, suppliers or vendors,
without compromising its internal
network.

High availability — The SpeedStream 
5880 Broadband Security Router 
supports high availability with dial 
backup functionality and virtual 
router redundancy protocol (VRRP) 
support. The router can detect if the
broadband connection is unavailable
and automatically establish a dial-up
connection with the service provider. In
addition, the router will automatically
reroute traffic to an alternate router if
the WAN link or IP datapath fails.

Breakthrough price 

Unlike enterprise-class security appliances, 
which deliver specialized features that 
SMBs just don't need, the SpeedStream 
5880 Broadband Security Router provides 
the essentials for secure broadband 
access and the infrastructure for IP 
applications. By incorporating all these 
necessary functions of advanced routing, 
security, and IP-application support, the 
SpeedStream 5880 Broadband Security 
Router makes broadband security and 
applications affordable for SMBs. 

Figure 2: The easy-to-use interface accelerates setup
of VPN and firewall services.



The SpeedStream 5880 Broadband 
Security Router meets urgent business 
needs of SMBs: securely interconnecting 
small offices and teleworkers, adding 
security to existing broadband 
connections, and providing the 
infrastructure for IP applications. 

Secure Connectivity for Small 
Offices 

Many SMBs want to enable secure 
broadband communications among 
their headquarters, branch offices, and 
teleworkers. In addition, they want to take 
advantage of cost-reducing applications 
such as VoIP and video over IP. Using 
SpeedStream 5880 Broadband Security 
Routers, the customer can quickly establish 
secure VPNs between headquarters and 
every location. Using the DMZ port, the 
customer can establish an extranet for their 
suppliers and vendors — allowing access 
to technical documents, configuration 
notes, and software uploads — while 
protecting their highly sensitive corporate 
information. Furthermore, the customer 
can implement voice and video over IP 
between the offices, thereby eliminating 
inter-office toll and long distance charges. 
The router automatically gives priority
to real-time applications, such as VoIP,
using the built-in IP Quality of Service (IP
QoS) feature. This ensures high quality in
delay-sensitive applications.

Retail Point-of-Sale (POS) Network 
Connectivity 

Retail organizations need to link multiple
outlets with corporate resources such as
accounting and inventory databases.
They also need a secure way to perform
point-of-sale (POS) activities and
Electronic Fund Transfers (EFTs). In many
cases, these businesses rely on insecure
broadband connections and dialup access.

By installing SpeedStream 5880 
Broadband Security Routers behind 
existing broadband modems, the 
company can create a VPN that securely 
connects outlets to headquarters, as 
well as a firewall that protects customer 
and corporate data on the LAN from 
malicious attacks. Furthermore, this creates
a secure broadband infrastructure over which
IP applications can run. Point-of-sale
transactions and EFTs can now be
executed over the Internet using a secure
VPN tunnel. Dedicated dialup lines can
be removed, and long distance and toll
charges are eliminated.

Simple management

Ease of management greatly affects the
cost of deploying solutions to remote sites. 
The SpeedStream 5880 Broadband Security 
Router features an intuitive interface 
that the customer can use to quickly set 
up VPN and firewall features. Role-based 
management allows the customer to select 
which functions are managed locally and 
which will be managed centrally. Simple, 
secure management enables the customer 
to roll out VPN and firewall services for 
their branch offices and teleworkers 
quickly, minimizing deployment and 
operational expenses (Figure 2). 



Figure 1: A high-performance Secure VPN based on the SpeedStream 5880 Broadband Security Router interconnects
headquarters with retail outlets and enables POS and EFT transactions.



Enterprise-Grade Security

Feature: Basic Business Firewall
Benefit: Secures users' networks from suspicious packets and denial of service
attacks with four easy-to-implement preset security level configurations,
customization capabilities, and detailed event logs

Feature: ICSA-Certified Stateful Inspection Firewall
Benefit: Provides enterprise-grade security to users who need further assurance for
business sensitive data and applications

Feature: Secure Virtual Private Network (VPN) with IPSec, IKE, DES,
and 3DES encryption
Benefit: Secures the datapath from interception, examination, alteration or
corruption by authenticating and encrypting data for all authorized
network clients

Feature: DMZ port
Benefit: Enables a computer host or small network to be included in a "neutral"
zone between a company's high security, private network and the outside
public network

Feature: VPN Encryption Engine
Benefit: Accelerates IPSec, DES, and 3DES performance by providing hardware
support for encryption processing



Powerful, Secure Management

Feature: Remote and local management
Benefit: Maximizes opportunities for managed services by providing tools to allow
management over SNMP, Telnet, HTTP, or the console port. On-board
scripting engine simplifies development of standard configuration scripts
for mass-deployment

Feature: Secure management
Benefit: Protects administrative access and communications with IPSec and SSH for
authentication and encryption

Feature: Role-based management
Benefit: Enables multi-level managed services by restricting the ability to view or
change the configuration with up to 4 different predefined roles (up to 15
user names in the local database)

Feature: RADIUS management authentication
Benefit: Reduces the cost of management by authenticating administrators in a
single database



IP Quality of Service

Feature: Weighted Fair Queuing (WFQ)
Benefit: Enables value-added services by optimizing router throughput based on
real-time or other latency sensitive traffic types

Feature: DiffServ
Benefit: Enables differentiated services and SLAs by optimizing end-to-end
throughput based on traffic types



High Availability

Feature: External dial backup
Benefit: Maximizes uptime by automatically using an external modem to connect
to the Internet if the WAN link or IP datapath fails

Feature: Virtual Router Redundancy Protocol (VRRP)
Benefit: Maximizes uptime by automatically rerouting traffic to an alternate router
if the WAN link or IP datapath fails



Simplified Deployment

Feature: Self-installation
Benefit: Enables users to self-install services with no additional software
and minimal knowledge of service and networking settings
through any Web browser

Feature: Easy diagnostics
Benefit: Simplifies self-installation by allowing users to access critical
information to troubleshoot and correct issues without on-site
technical help

Feature: Network address translation (NAT/NAPT)
Benefit: Simplifies IP address assignment by hiding the address information
of the end-user's local network

Feature: 4-port 10/100Base-T Ethernet switch
Benefit: Provides optimal LAN connectivity and performance



Reliable Investment

Feature: Single, integrated solution
Benefit: Provides a single point of management which minimizes
deployment and support costs and space required

Feature: Platform and operating system independent
Benefit: Reduces the cost of operations, due to interoperability with the
IEEE 802.3 standards



Software Features 

Security 

Secure Management

• User authentication (PAP/CHAP) with PPP (RFC 1334,
RFC 1994)

• Password control for configuration manager 

• SNMP community name reassignment 

• Telnet/SNMP port reassignment/Access Control List 

• Role-based management 

- Four pre-configured templates 

- Up to 15 user names stored in the local database

• RADIUS management authentication support 

• SSH and IPSec secure management channels 

Basic Business Firewall 

• Filter on source and/or destination IP address/port value 

• Filter on SYN, ACK flags and ICMP 

• Apply input, output, transmit, and receive filters on 
each interface 

• Stateful inspection when NAT is enabled 

• Logging and scripting 

ICSA-Compliant Stateful Inspection Firewall 

• Provides enterprise-grade firewall protection from 

- Common Denial of Service (DoS) attacks and 
exploits including Killwin, Land, Ping of Death, 
Smurf, Teardrop, Tiny Fragments, and WinNuke 

- Distributed Denial of Service (DDoS) attacks 
including ICMP, SYN and UDP floods 

- Other hacking attacks including IP address 
sweeping, IP spoofing, port scanning 

• Opens ports to serve legitimate requests and 
automatically closes them when the request or 
session ends 

• Full-time Stateful Packet Inspection with built-in 
support for most popular applications 

• No pre-defined limit on the number of rules that can be 
created and applied 

• All firewall messages can be logged to the router 
console and to syslog servers 

• Maintains a log of the most recently dropped packets in 
the browser-based user interface 

Secure Virtual Private Networking 

• L2TP, IPSec, and L2TP inside of IPSec 

• No pre-defined limit on VPN tunnels 

• IPSec Tunnel and Transport modes with AH and ESP 

• Internet Key Exchange (IKE) including Aggressive Mode 

• DES (56-bit) and 3DES (168-bit) encryption

• Supports Perfect Forward Secrecy (DH Groups 1 and 2) 

• Provides protection from replay attacks 

• Implements RFCs 1321, 1828, 1829, 2085, 2104, 
2401-2410, 2412, 2420, 2437, 2451, and 2631 
(Groups 1 and 2) 

Configuration, Management 
and Monitoring 

• Easy setup through a browser-based user interface 

• Configuration and management using HTTP, serial 
console, SNMP, SSH, or Telnet 

• Out-of-band configuration and management using 
serial console port 



• Supports dedicated routed management PVC in bridged 
and routed mode 

• TFTP download/upload of new software, configuration 
files, and scripts 

• Stores backup copy of firmware on dual bank flash 
memory for system recovery 

• Performance monitoring data available using SNMP 

• Dynamic event and history logging 

• Network boot using a BootP server (RFC 2131,
RFC 2132)

• Syslog server support 

IP Quality of Service (IP QoS) 

• DiffServ traffic prioritization through ToS byte marking 

• Weighted Fair Queuing traffic prioritization 

• Configurable queue weighting 

• Configurable traffic prioritization policies by 

- Date, day of week, and time 

- Source and destination addresses 

- Port, protocol, and application 

High Availability 

• Dial backup support - Integrated v.90 modem 

• Virtual Router Redundancy Protocol (VRRP) (RFC 2338) 
for failover support to other VRRP-capable routers 

Protocols 

ATM 

• Encapsulation (IP, Bridging, and Bridge Encapsulated 
Routing) (RFC 2684/1483) 

• PPP over ATM (LLC and VC multiplexing) (RFC 2364) 

• Classical IP over ATM (RFC 2225) 

• Classical IP (RFC 1577) 

• AAL5 

• Virtual Circuit (VC) traffic shaping (CBR, PCR, UBR, VBR) 

• No pre-defined limit on VCs 

• I.610 OAM F5 end-to-end and segment LoopBack

• Initiates and responds to LoopBack signaling 

Frame Relay 

• Support of frame relay ANSI T1.618 and CCITT Q.922
formats

• DLCI support 

• Inverse ARP support 

• LMI support including LMI protocol discovery 

• LLCP auto-update 

• CIR & EIR rate enforcement 

• Network congestion management 

PPP (RFC 1661, RFC 2364) 

• PPP over Ethernet (RFC 2516)

• PPP over ATM (RFC 2364) 

• Bridging (RFC 1638) 

• IP Routing (RFC 1331) 

• IPX Routing (RFC 1552) 

• Multiclass extensions to MLPPP (RFC 2686) 

• MLPPP (RFC 1990) 

• Data compression of up to 4:1 (STAC™ LZS) (RFC 1974)

• Van Jacobson header compression (RFC 1144)

• Spoofing and filtering (IP-RIP, IPX-RIP, SAP, Watchdog 
serialization) 

• Automatic IP and DNS assignment (RFC 1877) 



Routing 

• TCP/IP with RIP1 (RFC 1058), RIP1-compatible and RIP2
(RFC 1389), or static routing on the LAN and/or WAN

• Novell® IPX with RIP/SAP (RFC 1552) 

• DHCP server (RFC 2131, RFC 2132), relay agent (RFC
1542), and client (RFC 2132)

- Automatically defers to other DHCP servers on 
the network 

- Automatically adjusts to changes in LAN IP 
addressing 

- No pre-defined limit on DHCP clients 

• DNS relay 

• Multiple subnets on the LAN support NAT, RIP1, RIP2,
ARP and IP filters

• Virtual routes can be defined based on user IP addresses 
or ranges 

IP Address Translation 

• Network renumbering (RFC 1631)

• Network Address Translation (NAT/PAT/NAPT) 

• NAT passthrough support for numerous applications 
including IPSec, PPTP, H.323, SIP and NetMeeting 

• Supports public Web and e-mail servers with NAT 

Hardware Features 

WAN Interface 

• 1 - 10/100Base-T port

LAN Interface 

• Built-in 4-port 10/100Base-T Ethernet switch

• Port 1 can be designated as the DMZ port 

Serial Interface 

• One asynchronous serial console port 

VPN Encryption Engine 

• Hardware accelerates IPSec and DES/3DES encryption